Tuesday, July 26, 2011

Mapping the Internet

One of my computer hobbies is distributed computing. Distributed computing is a technique that allows a project to give volunteers a piece of software to run on their computers, which lets them participate in the project. This piece of software downloads data commonly referred to as a work unit. It uses the volunteer's computer to process the work unit, and then uploads the results to the project. The volunteer can choose how many computers to run this software on, and can decide how much time to allocate to it. Most projects award points for completed work and allow the formation of teams. Both of these add a level of fun for the volunteer and lead some to dedicate great amounts of computing power that they probably wouldn't have purchased, and continued to power, without that carrot.

There are a large number of distributed computing projects active on the Internet. Folding@Home uses a custom client to conduct research in various biological areas such as Alzheimer's disease. SETI@home uses the more common BOINC client to analyze radio signals captured by a large radio telescope for signs of extraterrestrial intelligence. A user over at [H]ardForum maintains a comprehensive list of active distributed computing projects covering a wide range of research topics.

A project that I feel would be of interest to network and security engineers is The DIMES Project, which is run by Tel Aviv University. This is an ambitious project looking to "study the structure and topology of the Internet, with the help of a volunteer community." In a nutshell, the project runs a small application on the volunteer's computer that uses ping and traceroute from your machine to known hosts on the Internet to discover previously unidentified hosts. Like other projects, volunteers are able to create a user account to track their contributions, can install the client on as many computers as they please, and can join a team for friendly competition. What is really interesting about this project is that the client uses little to no CPU; instead it only consumes Internet bandwidth (stated at about 1KB/s per client). This allows the client to run simultaneously with clients from other projects without interference.

Wednesday, July 20, 2011

Introduction to ACLs

In any network device with the responsibility of moving data, the ability to inspect and filter data is absolutely critical. In routers running Cisco IOS software, this inspection and filtering is conducted by an Access Control List (hereafter referred to as ACL). Within an ACL, entries known as Access Control Entries (hereafter referred to as ACEs) describe which traffic to permit through, and which traffic to deny. In this paper, I will assume that you already have a basic understanding of IP addressing, VLSM, CIDR, subnet masks and wildcard masks. These building blocks are elementary topics in IP networking, but are crucial to the understanding of ACLs. I will also assume you have a basic knowledge of how to configure a router or switch running IOS software. The commands used may appear familiar to someone knowledgeable in Cisco PIX or ASA firewalls, but there are differences.

There are many different types of ACLs used in Cisco routers. The most basic are standard ACLs. These simple ACLs can only filter traffic based on the source IP address of the packet. Building on the standard ACL is the extended ACL. These follow a similar format, but allow filtering based on the source and destination IP addresses and, optionally, the source and destination port numbers of the packet. However, with additional functionality comes additional cost in terms of router memory and processor utilization. Named ACLs are simply extended ACLs which use names rather than numbers as identification and allow additional features such as line numbers and editing capability. Reflexive ACLs allow a router to inspect packets based on a basic session table, allowing the router to act as a rudimentary stateful firewall. Time-based ACLs allow permitting or denying traffic based on the time of day. And finally, Cisco routers running IOS version 12.0.5T and higher support Context-Based Access Control (better known as CBAC), which extends traditional ACLs to allow a router to provide full stateful packet inspection. While the more advanced ACL types are quite useful for a network administrator, the focus of this paper will be standard and extended ACLs.
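To make the difference between standard and extended ACLs concrete, here is an added example (my own illustration, not Cisco code or anything from the original post): a small Python simulator that parses a subset of the numbered `access-list` syntax and evaluates packets against it the way IOS does, top to bottom, first match wins, with the implicit `deny any` at the end. The sample configuration is constructed for this example; the parser only understands `any`, `host A.B.C.D`, `A.B.C.D W.W.W.W` address specs and numeric `eq` ports, which is an assumption that keeps it short, not the full IOS grammar.

```python
"""Added example: a toy evaluator for Cisco IOS numbered ACLs.

Supported subset (an assumption of this example, not the full IOS grammar):
  access-list <1-99>    permit|deny <src-spec>
  access-list <100-199> permit|deny ip|tcp|udp|icmp <src-spec> <dst-spec> [eq <port>]
where a spec is 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (wildcard mask).
"""
import ipaddress


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _looks_like_ip(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ipaddress.AddressValueError:
        return False


def wildcard_match(addr, base, wildcard):
    """A wildcard mask is the inverse of a subnet mask: a 0 bit in the
    wildcard means 'must match', a 1 bit means 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def _parse_addr_spec(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i].
    Returns ((base, wildcard), index_of_next_token)."""
    tok = tokens[i]
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and _looks_like_ip(tokens[i + 1]):
        return (tok, tokens[i + 1]), i + 2
    # Standard ACLs allow a bare address; IOS treats it as wildcard 0.0.0.0.
    return (tok, "0.0.0.0"), i + 1


def parse_acl(config_text):
    """Return {acl_number: [ace, ...]} preserving the order of the lines,
    because order is what decides the outcome under first-match semantics."""
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue  # '!' comments, blank lines, unrelated config
        number, action = int(tokens[1]), tokens[2]
        if 1 <= number <= 99:          # standard: source address only
            src, _ = _parse_addr_spec(tokens, 3)
            ace = {"action": action, "proto": "ip", "src": src,
                   "dst": ("0.0.0.0", "255.255.255.255"), "dport": None}
        elif 100 <= number <= 199:     # extended: protocol, src, dst, port
            src, i = _parse_addr_spec(tokens, 4)
            dst, i = _parse_addr_spec(tokens, i)
            dport = int(tokens[i + 1]) if i + 1 < len(tokens) and tokens[i] == "eq" else None
            ace = {"action": action, "proto": tokens[3], "src": src,
                   "dst": dst, "dport": dport}
        else:
            raise ValueError("only numbered ACLs 1-99 and 100-199 are supported here")
        acls.setdefault(number, []).append(ace)
    return acls


def evaluate(aces, proto, src, dst, dport=None):
    """Walk the ACEs top to bottom; the first matching entry decides.
    If nothing matches, IOS applies an implicit 'deny any' at the end."""
    for ace in aces:
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue                      # 'ip' matches every IP protocol
        if not wildcard_match(src, *ace["src"]):
            continue
        if not wildcard_match(dst, *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"                         # the implicit deny


# Constructed sample configuration for this example.
SAMPLE_CONFIG = """
! Standard ACL 10: block one workstation, allow the rest of its subnet.
! The specific deny must come first, or the broader permit would match it.
access-list 10 deny   host 192.168.1.13
access-list 10 permit 192.168.1.0 0.0.0.255
! Extended ACL 101: web from the LAN to one server, DNS from anywhere, drop the rest.
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.80 eq 80
access-list 101 permit udp any host 10.0.0.53 eq 53
access-list 101 deny   ip any any
"""

if __name__ == "__main__":
    acls = parse_acl(SAMPLE_CONFIG)
    print("ACL 10, src 192.168.1.13 :", evaluate(acls[10], "ip", "192.168.1.13", "1.2.3.4"))
    print("ACL 10, src 192.168.1.20 :", evaluate(acls[10], "ip", "192.168.1.20", "1.2.3.4"))
    print("ACL 10, src 10.0.0.1     :", evaluate(acls[10], "ip", "10.0.0.1", "1.2.3.4"))
    print("ACL 101, tcp/443 to web  :", evaluate(acls[101], "tcp", "192.168.1.7", "10.0.0.80", 443))
```

Two things worth noticing when you run it: the standard ACL never looks at the destination or port, so the only way to express "this host may not reach anything" is by source alone; and swapping the two lines of ACL 10 would silently let 192.168.1.13 through, because the subnet permit would match first. The explicit `deny ip any any` at the end of ACL 101 is redundant with the implicit deny, but administrators often add it so that `show access-lists` counts the dropped packets.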

Tuesday, July 12, 2011